Continuous integration/Phan/phan-taint-check-plugin
phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in PHP code. It is internally also known as SecurityCheckPlugin
.
It can be used on any PHP project, and it has a couple of features specific to MediaWiki code.
This page is just a stub so far, for more information, see README.
Running on Wikimedia Jenkins
[edit]You can test any extension in Wikimedia version control by writing a comment check experimental
on a gerrit patch. The best way to add taint-check is requiring mediawiki-phan-config
>= 0.10.2, and ensuring that the phan CI job is installed for your repo. Note that phan-taint-check should run as part of mwext-phpXY-phan-docker
within CI without needing to specifically comment check experimental
.
Running locally
[edit]Starting with mediawiki-phan-config 0.10.0, taint-check comes bundled with the default MediaWiki configuration. As such, you should follow the instructions for running phan.
Dependencies
[edit]The plugin has the same dependencies as mediawiki-phan-config. Namely:
- phan/phan (the version is pinned and constantly updated)
- PHP >= 7.4
- Optionally, php-ast (install instructions) will make it faster (it's worth the pain of compiling/installing the extension!)
External links
[edit]- Browse source code (Gerrit)
- Web demo
- Other projects